
Example 6 with Constraint

use of org.apache.directory.fortress.core.model.Constraint in project directory-fortress-core by apache.

the class Timeout method validate.

/**
 * Checks that the time elapsed since the session's last access does not exceed the
 * inactivity limit given by {@link Constraint#getTimeout()} (in minutes). Called during
 * entity activation from {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints}.
 *
 * The check passes (returns 0) when the session has never been accessed (last access of 0),
 * when the constraint's timeout is 0 (no limit), or when the elapsed wall-clock time is
 * strictly less than the limit. Elapsed time is measured against
 * {@link System#currentTimeMillis()}; the {@code time} argument is not consulted.
 * A negative timeout presumably never passes, since no non-negative elapsed time is below it.
 *
 * @param session    supplies the last-access timestamp via {@link Session#getLastAccess()}.
 * @param constraint supplies the inactivity timeout in minutes; 0 disables the check.
 * @param time       required by the {@link Validator} interface but not used here.
 * @param type       required by the interface, not used here.
 * @return 0 if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIMEOUT}.
 */
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) {
    long lastAccess = session.getLastAccess();
    // A session that has never been touched cannot have timed out.
    if (lastAccess == 0) {
        return 0;
    }
    long timeoutMinutes = constraint.getTimeout();
    long elapsedMillis = System.currentTimeMillis() - lastAccess;
    long limitMillis = timeoutMinutes * 60000L;
    boolean withinLimit = elapsedMillis < limitMillis;
    boolean unlimited = timeoutMinutes == 0;
    return (withinLimit || unlimited) ? 0 : GlobalErrIds.ACTV_FAILED_TIMEOUT;
}

Example 7 with Constraint

use of org.apache.directory.fortress.core.model.Constraint in project directory-fortress-core by apache.

the class ClockTime method validate.

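/**
 * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} and ensures the current time is
 * between {@link Constraint#getBeginTime()} and {@link Constraint#getEndTime()}, inclusive.
 *
 * The check is skipped (0 is returned) when beginTime is null or equals {@link GlobalIds#NONE} ignoring case,
 * or when both beginTime and endTime parse to 0. When beginTime is set but endTime is null or NONE the
 * window is incomplete and the check fails closed with {@link GlobalErrIds#ACTV_FAILED_TIME} instead of
 * surfacing a {@link NumberFormatException} from the parse. Otherwise both values are parsed as integers
 * and compared against {@code time.currentTime}.
 *
 * NOTE(review): a window whose beginTime is greater than its endTime (one spanning midnight) can never
 * satisfy {@code begin <= current <= end} with this comparison; confirm whether such constraints are expected.
 *
 * @param session    required for {@link Validator} interface but not used here.
 * @param constraint contains the begin and end times as integer strings.
 * @param time       contains the current time in {@code time.currentTime}.
 * @param type       required by interface, not used here.
 * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIME} if failed.
 * @throws NumberFormatException if a begin or end time that is set is not a parseable integer.
 */
@Override
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) {
    String beginStr = constraint.getBeginTime();
    if (beginStr == null || beginStr.compareToIgnoreCase(GlobalIds.NONE) == 0) {
        // No begin time configured: the time-of-day constraint does not apply.
        return 0;
    }
    String endStr = constraint.getEndTime();
    if (endStr == null || endStr.compareToIgnoreCase(GlobalIds.NONE) == 0) {
        // Begin is set but end is missing: treat the incomplete window as a failed check
        // rather than letting Integer.parseInt(null) / ("none") escape as an exception.
        return GlobalErrIds.ACTV_FAILED_TIME;
    }
    int beginTime = Integer.parseInt(beginStr);
    int endTime = Integer.parseInt(endStr);
    // A 0/0 window means "no restriction".
    if (beginTime == 0 && endTime == 0) {
        return 0;
    }
    // Inclusive range check; time.currentTime is unboxed if it is an Integer (NPE when null, as before).
    boolean inWindow = beginTime <= time.currentTime && endTime >= time.currentTime;
    return inWindow ? 0 : GlobalErrIds.ACTV_FAILED_TIME;
}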

Example 8 with Constraint

use of org.apache.directory.fortress.core.model.Constraint in project directory-fortress-core by apache.

the class Date method validate.

/**
 * Checks that the current date lies within the window defined by {@link Constraint#getBeginDate()} and
 * {@link Constraint#getEndDate()}. Called during entity activation from
 * {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints}.
 *
 * Either bound may be null or {@link GlobalIds#NONE} (compared ignoring case), which disables that side of
 * the check: with begin unset only {@code endDate >= today} is required, with end unset only
 * {@code beginDate <= today}, and with both unset the check always passes. Bounds are compared with
 * {@code time.date} as plain strings, so the ordering is only meaningful when both sides use the same
 * zero-padded YYYYMMDD form (for example '20110101' for Jan 1, 2011).
 *
 * @param session    required for {@link Validator} interface but not used here.
 * @param constraint supplies the begin and end dates.
 * @param time       supplies the current date in {@code time.date}.
 * @param type       required by interface, not used here.
 * @return '0' if validation succeeds else {@link GlobalErrIds#ACTV_FAILED_DATE} if failed.
 */
@Override
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) {
    String beginDate = constraint.getBeginDate();
    String endDate = constraint.getEndDate();
    boolean beginSet = beginDate != null && beginDate.compareToIgnoreCase(GlobalIds.NONE) != 0;
    boolean endSet = endDate != null && endDate.compareToIgnoreCase(GlobalIds.NONE) != 0;
    // An unset bound is satisfied trivially; a set bound is compared lexicographically with today's date.
    // The end bound is only evaluated when the begin bound holds.
    boolean withinWindow = (!beginSet || beginDate.compareTo(time.date) <= 0)
            && (!endSet || endDate.compareTo(time.date) >= 0);
    return withinWindow ? 0 : GlobalErrIds.ACTV_FAILED_DATE;
}

Example 9 with Constraint

use of org.apache.directory.fortress.core.model.Constraint in project directory-fortress-core by apache.

the class DSDChecker method validate.

/**
 * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints.
 *
 * Every DSD set covering the session's authorized roles (the activation candidates plus their inherited
 * roles) is examined. Per DSD set a running match count is kept across all activation candidates; once the
 * count reaches the set's cardinality, the offending candidate is removed from the session's role list,
 * a {@link Warning} is attached to the session and logged, and the return code becomes ACTV_FAILED_DSD.
 * Evaluation does not stop at the first violation: remaining candidates and remaining DSD sets are still checked.
 *
 * @param session    contains list of RBAC roles {@link org.apache.directory.fortress.core.model.UserRole} targeted for activation; candidates that violate a DSD set are removed from it and a warning is attached.
 * @param constraint required for Validator interface, not used here.
 * @param time       required for Validator interface, not used here.
 * @param type       required by interface, not used here.
 * @return '0' if validation succeeds (including when the session holds no roles, or fewer than two authorized roles) else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD} if failed.
 * @throws org.apache.directory.fortress.core.SecurityException presumably propagated from the role and DSD lookups ({@code RoleUtil}, {@code SDUtil}); nothing in this body throws it directly.
 */
@Override
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) throws org.apache.directory.fortress.core.SecurityException {
    int rc = 0;
    int matchCount;
    // get all candidate activated roles user (assumed to be the session's live list, so removals
    // below take effect on the session itself — confirm against Session.getRoles()):
    List<UserRole> activeRoleList = session.getRoles();
    if (activeRoleList == null || activeRoleList.size() == 0) {
        return rc;
    }
    // Depending on if session is group or user session, fill objects
    String contextId = session.isGroupSession() ? session.getGroup().getContextId() : session.getUser().getContextId();
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";
    // get the list of authorized roles for this user/group (candidates plus inherited roles):
    Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles(activeRoleList, contextId);
    // only need to check DSD constraints if more than one role is being activated:
    if (authorizedRoleSet != null && authorizedRoleSet.size() > 1) {
        // get all DSD sets that contain the candidate activated and authorized roles,
        // If DSD cache is disabled, this will search the directory using authorizedRoleSet
        Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache(authorizedRoleSet, contextId);
        if (dsdSets != null && dsdSets.size() > 0) {
            for (SDSet dsd : dsdSets) {
                // An explicit Iterator is needed so offending candidates can be removed mid-iteration.
                Iterator<UserRole> activatedRoles = activeRoleList.iterator();
                // The match count is per DSD set and accumulates across all candidates of this session.
                matchCount = 0;
                Set<String> map = dsd.getMembers();
                // now check the DSD on every role activation candidate contained within session object:
                while (activatedRoles.hasNext()) {
                    UserRole activatedRole = activatedRoles.next();
                    if (map.contains(activatedRole.getName())) {
                        matchCount++;
                        // Once cardinality is reached the count keeps growing, so every later direct
                        // member of this set is removed as well; iteration continues to the next candidate.
                        if (matchCount >= dsd.getCardinality()) {
                            activatedRoles.remove();
                            String warning = "validate " + entityType + " [" + entityId + "] failed activation of assignedRole [" + activatedRole.getName() + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                            LOG.warn(warning);
                            rc = GlobalErrIds.ACTV_FAILED_DSD;
                            session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
                        }
                    } else {
                        // Candidate is not a direct member: its inherited (ascendant) roles may still be.
                        Set<String> parentSet = RoleUtil.getInstance().getAscendants(activatedRole.getName(), contextId);
                        // now check for every role inherited from this activated role:
                        for (String parentRole : parentSet) {
                            if (map.contains(parentRole)) {
                                matchCount++;
                                if (matchCount >= dsd.getCardinality()) {
                                    String warning = "validate " + entityType + " [" + entityId + "] assignedRole [" + activatedRole.getName() + "] parentRole [" + parentRole + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                                    rc = GlobalErrIds.ACTV_FAILED_DSD;
                                    // remove the assigned role from session (not the authorized role):
                                    activatedRoles.remove();
                                    session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
                                    LOG.warn(warning);
                                    // Breaking out of the parent loop only; the outer while continues with the
                                    // next candidate because the assigned role has been removed from session.
                                    break;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    return rc;
}

